Forum Discussion

RichardOwen
Copper Contributor
Oct 20, 2022

Querying the Heartbeat table

Hi,


I've recently started using Microsoft Sentinel and trying to understand the idiosyncrasies of using KQL in Log Analytics. I've searched Microsoft Docs and this Tech Community but haven't found an answer to this issue.


Question: why does the Version field in the Heartbeat table not always appear in results?


Examples:


(1) this query shows the Version field (taken from Settings > Workspace settings > Agents management > 'See them in Logs' link)

Heartbeat
| where OSType == 'Windows'
| where Category != 'Azure Monitor Agent'
| summarize arg_max(TimeGenerated, *) by SourceComputerId


(2) this query shows the Version field when run immediately after the first query above.

Heartbeat
| where OSType == 'Windows'
| where Category != 'Azure Monitor Agent'
| where Version == ""
| summarize arg_max(TimeGenerated, *) by SourceComputerId


(3) this query does NOT show the Version field.

Heartbeat
| where OSType == 'Windows'
| where Category != 'Azure Monitor Agent'
| where Version == ""
| summarize by Computer, Version


(4) running the second query again, after running the third query returns results WITHOUT the Version field appearing. When I run the first query again, then the second query, the Version field appears again.


Thank you in advance to anyone who can explain this to me.


  • Clive_Watson
    Bronze Contributor
    KQL will drop a column from the results if it's empty; you can also use isempty(Version) or isnotempty(Version) rather than == "".
    I suspect what you are seeing is caching in action. Just add Version to any project or summarize where it's needed. I don't have any data that has the empty column for Version, so I don't see this in my logs or in the demo data from Microsoft.
    • CDC_Analyst
      Copper Contributor
      Thank you for your reply; that's quite a nice feature, now that I'm aware of it!

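The column-dropping behaviour explained in Clive_Watson's reply can be avoided by giving Version a placeholder when it is empty. The query below is an added example, not code from the original thread: it lists each Windows computer's latest heartbeat and the agent version it reported, keeps the Version column present even when every value is empty, and flags agents whose last heartbeat is old. The lookback window, the stale threshold and the '<not reported>' placeholder are assumptions.

```kql
// Added example, not from the original thread. Per-computer view of the latest
// heartbeat and the agent version it reported, written so that the Version
// column is always present in the output even when every value is empty.
let lookback = 7d;          // assumption: how far back to look for heartbeats
let stale_after = 1h;       // assumption: a heartbeat older than this is flagged
Heartbeat
| where TimeGenerated > ago(lookback)
| where OSType == 'Windows'
| where Category != 'Azure Monitor Agent'
// Latest heartbeat per agent; arg_max carries the Version value from that row
| summarize arg_max(TimeGenerated, Version) by Computer, SourceComputerId
| project-rename LastHeartbeat = TimeGenerated
// isnotempty() is the idiomatic test; both '' and null count as empty
| extend VersionReported = isnotempty(Version),
         IsStale = LastHeartbeat < ago(stale_after)
// Substituting a placeholder means the column is never entirely empty,
// so the result grid does not drop it regardless of the data returned
| project Computer, SourceComputerId, LastHeartbeat,
          Version = iff(VersionReported, Version, '<not reported>'),
          VersionReported, IsStale
// Agents with no version and the oldest heartbeats first
| order by VersionReported asc, LastHeartbeat asc
```

Agents that report no version or have gone quiet are the ones to check first, since a missing or stale heartbeat means the workspace is not receiving their logs.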